Welcome to SaaS thoughts

Whether you call it Software as a Service (SaaS), Managed Service Provider (MSP) or On-Demand Services, your organization uses the service running “in the cloud”. This blog will discuss these services, their benefits, drawbacks and operations. Are we biased? Yes. We believe that some services make sense for most organizations. Email security is one of those. However, as Mark Twain said, “All generalizations are false, even this one.” Each Tuesday we will post information and questions about Software as a Service. Occasionally, we will have a "Guest Post" from either a consultant or vendor posting her/his thoughts on Managed Services generally as well as some degree of specificity based on her/his unique perspective. We encourage your insights, comments and feedback. Welcome.

Email is THE business critical application. In fact, historically, email was one of the drivers to create the Internet. Ask any help desk which would cause more contacts: email server is down, Internet access is down or the phone system is down (assuming they can contact the help desk). Without a doubt, it will be the email system. “The email must flow!” (Apologies to Frank Herbert.) This SaaS thought is not about hosted email. That will be discussed in a future SaaS thought. This post is about managed email security.

Background

To understand the security issues of email traffic, you have to have a 20-second review of email traffic flow itself. (The first occurrence of each abbreviation has a “mouse over” definition.)

Email falls under the X.400 Reliable Transfer Service specification. For the purpose of this discussion, it states that mail moves through a series of MTAs as it moves from the email server of the sender to the email server of the recipient. If a message cannot be delivered, the MTA will retry periodically. This “Store and Forward” system allows for the preservation of messages during outages. Each Internet Domain has a Mail Exchange (MX) record that tells which host processes email for the Domain.

Where to secure the email

Email security can be handled anywhere along the route between the sender and the recipient. Some “handshaking” security is built into the X.400 specifications already. However, that is clearly not enough.

Software on the email server

When spam raised its ugly head beyond an occasional “Free Kittens!” message, developers created software to run on the email server itself to handle spam. Usually, identified spam was deleted and questionable mail was placed in a “junk mail” folder. This worked well until the traffic caused by incoming spam took up too much bandwidth on the LAN. Unwanted email had to be stopped at the business perimeter.

This approach still has its uses. Internal email can be scanned for content that should not leave the organization or is deemed “inappropriate”. It is also a good internal layer in a Defense in Depth strategy if needed.

Email security appliances

Put an MTA at the perimeter and you have an email security firewall. Check for inbound spam and also check outbound messages for inappropriate messages. Great idea. It relieves the bandwidth problem and we all go out and congratulate ourselves that we have solved the spam problem! However, there are some problems here as well.

The volume of spam can overwhelm an MTA – Spammers are driven by economics. Real life example: An Internet marketer mailed ten million e-mails a day offering eavesdropping software for $40. He received 50 orders a day, allowing him to earn $700,000 a year. This is a response rate of 0.000005 percent. If you don’t purchase an appliance that can handle the expected volume, you can be overwhelmed and message traffic will be delayed. If you purchase an appliance that is too large, you have overpaid.

Power and cooling – An appliance is still a server in your data center or co-location. Its power and cooling needs add to your already rising power bill.

End of life – Every device has an end of life—either planned or unplanned. So, you put in a redundant system to handle the unplanned and plan to purchase a new server every 3-5 years. Both raise the cost of securing the email.

Managed service

An email security managed service handles email security “in the cloud”. To use a managed service, you point your MX record (remember that from above?) to one or more of the service’s data centers and they send you clean email. You as the administrator get reports on traffic and you can allow your users to manage their own spam and quarantined email.
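Once the MX record has been repointed, it is worth confirming that every MX record for the domain leads to the service, because any remaining MX record that points elsewhere is a delivery path the service does not filter. The check below is an added example, not part of the original post or any vendor's tooling; the domain `example.com`, the service domain `filter.example.net` and the sample records are constructed placeholders.

```python
# Added example: audit a domain's MX records after moving to a managed
# email security service. Hostnames are constructed placeholders.

SAMPLE_ZONE = """\
; constructed sample records, not from any real domain
example.com.   3600 IN MX 10 mx1.filter.example.net.
example.com.   3600 IN MX 20 mx2.filter.example.net.
example.com.   3600 IN MX 50 mail.example.com.
example.com.   3600 IN A  192.0.2.10
"""


def parse_mx(zone_text):
    """Return [(preference, host)] for each MX record, lowest preference first."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if "MX" not in fields:
            continue
        i = fields.index("MX")
        if len(fields) < i + 3:
            continue  # malformed record: no preference or host
        records.append((int(fields[i + 1]), fields[i + 2].rstrip(".").lower()))
    return sorted(records)


def audit_mx(zone_text, service_domain):
    """Separate MX hosts inside the service's domain from those outside it."""
    suffix = service_domain.rstrip(".").lower()
    filtered, direct = [], []
    for pref, host in parse_mx(zone_text):
        # Match on a label boundary so "notfilter.example.net" does not pass.
        inside = host == suffix or host.endswith("." + suffix)
        (filtered if inside else direct).append((pref, host))
    # "ok" means mail has at least one route and every route is filtered.
    return {"filtered": filtered, "direct": direct,
            "ok": bool(filtered) and not direct}


if __name__ == "__main__":
    result = audit_mx(SAMPLE_ZONE, "filter.example.net")
    for pref, host in result["direct"]:
        print(f"MX {pref} {host} does not point to the service")
    print("all inbound mail is filtered" if result["ok"] else "review MX records")
```

Note that a sending MTA falls back to a higher-numbered MX when the preferred hosts are unreachable, so a leftover record is used even though its preference value is the least preferred.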

So, which is better?

Better for what? Some organizations feel they must have all the servers (and appliances) inside their network. For them, a perimeter appliance is the best option. Some organizations have a UTM firewall that has an email security layer. An example of an excellent UTM device is the Astaro firewall.

For those organizations that follow a Defense in Depth model, putting software on the email server may make sense as an inner ring. Software on the email server also makes sense if the software provides some unique service unavailable from an appliance or managed service. The NEMX SecurExchange is one such piece of software running on a Microsoft Exchange Server.